Watchguard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series – Fireware XTM OS 11.5.2 Build # 337008 has been release and can be downloaded via the Watchguard website http://www.watchguard.com/

This major XTM OS Release introduces the following changes/improvements:

Significant enhancements introduced in this release include:

• Application Control now offers a deny message to users whose HTTP requests are blocked
• New Advanced Search for log messages added to Log and Report Manager
• Mobile VPN with SSL now supports multiple authentication servers and Active Directory authentication domains
• Management Server device configuration template improvements
  • Ability to create a device configuration template from an existing configuration file
  • Inclusion of hosted WebBlocker Server settings in template for XTM 2 Series and XTM 33 devices
  • Policy order in a template is preserved when you apply the template to an XTM device
• Support for FireCluster for XTM 330 appliances

Minor enhancements include:

• The ability to select the port used to send email notifications from the Log Server
• An updated list of trusted Certificate Authorities for proxies
• Diagnostic log messages for the Terminal Services Agent and TO Set Tool
• SMTP-proxy TLS encryption rules now limited to a maximum of 200 bytes

The following bugs/issues have also been resolved in this release

General

• After you reboot your XTM device, you no longer see the warning “Cannot create directory `/etc/wg/tmp’”. [62883]
• A problem that caused some XTM 8 Series devices to reboot because of a kernel crash has been resolved in this release. [64465]
• ICMP redirects are now handled correctly after you upgrade from Fireware XTM v11.4.2 to v11.5.2. [64589]
• Several problems that resulted in device configuration changes requiring a reboot to take effect have been resolved in this release. [64201, 64763]
• A memory leak in the SNMP daemon has been corrected. [63860]
• This release resolves problems that occurred during an upgrade from Fireware XTM OS v11.3.x. [64815]

Networking

• When you configure policy-based Dynamic NAT with the Source IP option, you no longer need to add the Source IP address as a secondary address on the external network. [64292]
• A default route is now correctly added when you enable Eth0 as an external interface. [63588]
• This release resolves a problem with server connection stability when you use an SNAT load balancing action in your configuration. [64280]
• It is no longer necessary to reboot your XTM device after you change the wireless guest network. [64415]
• Dynamic NAT now supports nested aliases. [58991]
• Dynamic NAT now works correctly when configured with an IP address range. [45005]
• Branch office VPN tunnels can now successfully be created to use 1-to-1 NAT configured with an IP address range. [65105, 64480]
• The multi-WAN Link Monitor now works correctly. [62535, 64817, 61487]
• Multi-WAN now works correctly when configured in Routing Table mode, with the Link Monitor configured to use both ping and TCP using domain name. [61564]
• XTM 2 Series Gigabit interfaces are now correctly labeled in the Firebox System Manager Status Report. [60621]
• QoS marking now works correctly in proxy policies. [63518]
• Multicast traffic can now pass through a branch office VPN on an XTM device configured in drop-in mode. [62234]

Proxies

• The default proxy trusted CA list has been updated to match the ones in most major popular browsers. [64438]
• A problem that caused some HTTP downloads to stall when you use the HTTP proxy with IPS enabled has been resolved. [63136]
• This release includes improvements to the clean-up of stale proxied connections that could prevent new connections from being allowed. [63574, 64519]

FireCluster

• A problem that caused the master XTM 8 Series device in a FireCluster to reboot because of a kernel crash has been resolved. [63683]
• High UDP traffic levels through a branch office VPN tunnel that terminates to a FireCluster no longer cause the FireCluster to reboot. [64251]
• The FireCluster synchronization timeout has been increased to prevent synchronization failures. [63231]
• A problem with the maintenance of the static ARP list for an active/active FireCluster has been resolved to improve FireCluster stability. [64440]
• This release includes improved proxy debug log messages for FireCluster users. [63793]
• A problem that caused a FireCluster to crash and reboot has been resolved. [64669]
• A problem has been resolved that sometimes caused the FireCluster master to reboot when you used the CLI to remove a member. [64518]
• The Status Report cluster load balancing algorithm label has been corrected from “Lease Connections” to “Least-connections”. [64684]
• A problem that caused DHCP leases to fail to synchronized with the backup member has been fixed. [64148]
• The backup member no longer crashes when the FireCluster is under heavy proxy traffic load and a manual failover is initiated. [64226]
• A problem that caused some active/active FireClusters to fail when configured with branch office VPN has been resolved. [64909]
• In a FireCluster environment, log messages are now consistently and correctly sent to the Log Server.  [64983]

Mobile VPN with SSL

• The Mobile VPN with SSL Mac client now correctly removes the previously assigned DNS server addresses after it is disconnected. [64418]

Mobile VPN with IPSec

• A problem that resulted in a stack trace with the error message “Iked stack trcace eip=0x080c4013” has been resolved. [65026]

Branch Office VPN

• Packets with a total data size value between 1507 and 1538 now correctly pass through a branch office VPN tunnel. [63764]
• You can now correctly configure 1-to-1 NAT with an IP range for a branch office VPN tunnel. [65105]

Authentication

• A problem that caused the SSO Event Log Monitor to crash has been fixed. [64824]

WSM & Management Server

• The  Apache httpd server bundled with WSM has been upgraded to version 2.2.21. [58220, 64556]
• IPS  is now correctly shown as enabled/disabled within an XTM template. [64124]
• The “Add Device” wizard now correctly detects and configures the gateway device with the private IP address of the Management Server. [64498]

Policy Manager

• The backup archive password is no longer recorded in the log file. [64088]
• Attempts to save configuration changes for new features to an XTM device running Fireware XTM v11.4 are now detected and handled correctly. [64609]

Web UI

• The WatchGuard Authentication policy is no longer deleted when you disable Mobile VPN with SSL from the Web UI or CLI. [65234]
• Gateway AV can now be enabled in an SMTP proxy action from the Subscription Services > Gateway AV > Configure page. [62464]

Security Services

• A problem that caused Gateway AV to fail when performing archive file scanning has been resolved. [64898, 65114]

Logging & Reporting

• The log level setting now works correctly for DHCP log messages.    [57096]
• Corrupt Log or Report Server database tables no longer cause an upgrade to the new v11.5.x database schema to abort. [64726]
• This release corrects multiple issues with restoring log files from backup archives. [64141, 65173]
• You can now export log search results from the Log and Report Manager. [63198, 42489, 62608]
• The Log and Report Manager Logs > Devices list now includes the serial number for each device. [63786]
• WatchGuard Server Center no longer resets the  start time to a previous value when a report schedule is edited. [64980]
• Users with permission to view only reports can now see all the reports they have access to. [65127]
• The Alarms Summary report is now available in the Log and Report Manager Dashboard and Devices sections. [64420]
• The default pivot (Users or Hosts) can now be set for the graphs available on the Log and Report Manager Dashboard tab. [65098]
• Percentage and Total count statistics have been added to a number of summary reports in Report Manager. [62981, 63019]